|
Earlier this month, ReversingLabs published a report on the current state of software supply chain security. They stated that the volume of such attacks using npm and PyPI code have increased by a combined 289% in the past four years. The research also cited two npm attacks as evidence—IconBurst and Material Tailwind.
ReversingLabs urges organizations, specifically npm and PyPI package users, to double down on securing their networks, and part of that could be better detection and blocking of access to suspicious and malicious web properties related to threats like IconBurst and Material Tailwind.
WhoisXML API researchers sought to expand the publicly available lists of indicators of compromise (IoCs) for both attacks. Our more in-depth foray aided by exhaustive WHOIS, IP, and DNS intelligence led to the following findings:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The IconBurst attackers installed malicious npm modules into target systems, allowing them to steal sensitive data from various apps and websites. ReversingLabs identified 13 domains as IoCs, namely:
We began our investigation with a bulk WHOIS lookup for these domains, which revealed that only 11 had retrievable WHOIS records. A majority of these web properties (eight to be exact) were created just this year, two last year, and one as far back as 2010. They were spread across eight registrars—three were managed by Registrasi Neva Angkasa; two by CV Jogjacamp; and one each by ResellerCamp, WEBCC, Mat Bao Corporation, Web Commerce Communications Ltd., Hostinger, UAB, and Namecheap, Inc.
Of the seven that named their registrant countries, four were registered in Indonesia, two in Malaysia, and one in Iceland.
Only two of the IoCs—ionicio[.]com and arpanrizki[.]my[.]id—continue to host live content to this day based on our screenshot lookup results, which means they could still pose risks to unknowing users.
DNS lookups for the IoCs showed they resolved to 15 IP addresses, eight of which are:
Of these IP hosts, 14 originated from the U.S. and one from Singapore, notably different from their registrant countries.
Next, reverse IP lookups for the IoCs’ IP hosts allowed us to uncover nearly 2,400 possibly connected domains. Fourteen of the domains were classified as malicious by various malware engines. We named seven of these below.
Three of the malicious digital properties seemingly remain live—beorganfamlayer[.]xyz, which appears to be an e-commerce site; biz-necessity[.]com, which looks like a personal blog; and dogalpestil[.]com, a restricted website.
To identify more artifacts, we looked at the IoCs’ historical WHOIS records and found two unredacted registrant email addresses. One of these was used to register two of the publicly reported IoCs—ionicio[.]com and graph-googleapis[.]com. It’s also interesting to note that another domain connected to the said email address (i.e., api-xyz[.]com) bore a resemblance to yet another identified IoC (i.e., apiii-xyz[.]yogax[.]my[.]id).
The Material Tailwind report, meanwhile, enumerated three IP addresses—85[.]239[.]54[.]17, 135[.]125[.]137[.]220, and 46[.]249[.]58[.]140—as IoCs.
A bulk IP geolocation lookup for these IP addresses showed three distinct origin countries (i.e., Germany, the Netherlands, and the U.S.) and Internet service providers (ISPs) (i.e., BlueVPS OU, OVH SAS, and Serverius Holding B.V.).
Unlike IconBurst, however, we only found a single domain—parsee[.]xyz—hosted on one of the IoCs. Using the string “parsee” as a Domains & Subdomains Discovery search term led to the discovery of 14 possibly connected domains. These newly discovered digital properties only differed in that they had TLD extensions other than .xyz. We named seven of them below.
While none of them have been dubbed malicious by any malware engine, their striking resemblance to parsee[.]xyz could make them logical additions to the threat actors’ arsenal.
Judging from the widespread nature of the IconBurst and Material Tailwind networks and the additional artifacts our IoC expansion exercises uncovered, we haven’t seen the last of software supply chain attacks. That said, we second ReversingLabs’s call to action for organizations to shore up their defenses against web properties that serve as hosts to open-source repositories of weaponized npm and PyPI packages.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byDNIB.com
Sponsored byVerisign